DOCSLIB.ORG

A Firewall Model of File System Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Firewall Model of File System Security Michigan Technological University Digital Commons @ Michigan Tech Dissertations, Master's Theses and Master's Dissertations, Master's Theses and Master's Reports - Open Reports 2014 A FIREWALL MODEL OF FILE SYSTEM SECURITY Lihui Hu Michigan Technological University Follow this and additional works at: https://digitalcommons.mtu.edu/etds Part of the Computer Sciences Commons Copyright 2014 Lihui Hu Recommended Citation Hu, Lihui, "A FIREWALL MODEL OF FILE SYSTEM SECURITY", Dissertation, Michigan Technological University, 2014. https://doi.org/10.37099/mtu.dc.etds/786 Follow this and additional works at: https://digitalcommons.mtu.edu/etds Part of the Computer Sciences Commons A FIREWALL MODEL OF FILE SYSTEM SECURITY By Lihui Hu A DISSERTATION Submitted in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY In Computer Science MICHIGAN TECHNOLOGICAL UNIVERSITY 2014 This dissertation has been approved in partial fulfillment of the requirements for the Degree of DOCTOR OF PHILOSOPHY in Computer Science. Department of Computer Science Thesis Advisor: Dr. Jean Mayo Committee Member: Dr. Steve Carr Committee Member: Dr. Soner Onder Committee Member: Dr. Haiying Liu Department Chair: Dr. Charles Wallace Table of Contents List of Figures .................................................................................................................. viii List of Tables ..................................................................................................................... ix Acknowledgements ..............................................................................................................x Preface................................................................................................................................ xi Abstract ............................................................................................................................. xii 1. Introduction ......................................................................................................................1 2. Background ......................................................................................................................5 2.1 UNIX/Linux Operating Systems................................................................................5 2.2 File System, Super Block, Inode................................................................................6 2.3 Virtual File System (VFS) .........................................................................................7 2.4 Terminology in Access Control .................................................................................8 2.4.1 Subject and Object ..............................................................................................8 2.4.2 MAC and DAC ...................................................................................................9 2.4.3 Principles of Computer Security .........................................................................9 2.5 Access Control Models, Schemes and Extensions ..................................................10 2.5.1 Multilevel Security ............................................................................................10 2.5.2 Access Control Matrix ......................................................................................10 2.5.3 Access Control Lists .........................................................................................11 2.5.4 Capabilities .......................................................................................................11 2.5.5 Domain and Type Enforcement (DTE) .............................................................11 2.5.6 Role Based Access Control (RBAC) ................................................................12 2.5.7 Locks and Keys .................................................................................................13 2.6 HRU Model and the Safety Problem .......................................................................14 2.6.1 HRU Model .......................................................................................................14 2.6.2 The Safety Problem ...........................................................................................15 iii 2.7 Network Firewall .....................................................................................................16 2.8 Current File System Protection ................................................................................17 2.8.1 Basic Security Scheme ......................................................................................17 2.8.2 Unix/Linux Security Modules and Extensions .................................................18 3. Related Work .................................................................................................................20 3.1 Linux Security Module ............................................................................................20 3.2 Rule-Set Based Access Control ...............................................................................21 3.3 Attribute Based Access Control ...............................................................................22 3.4 Sandboxing ..............................................................................................................22 3.5 Redirecting FileSystem ............................................................................................23 3.6 Other Proposals ........................................................................................................23 4. File System Firewall Model ...........................................................................................26 4.1 Motivation ................................................................................................................26 4.1.1 Accommodate Complicated Access Control Requirements .............................26 4.1.2 Integrity Protection of the File System .............................................................27 4.1.3 Ease of Administration .....................................................................................30 4.1.4 MAC for Specified Subjects and Objects .........................................................31 4.1.5 Redirection ........................................................................................................32 4.1.6 Flexibility ..........................................................................................................32 4.2 The Definitions of Firewall Model ..........................................................................32 4.2.1 File System Firewall (FSF) ...............................................................................33 4.2.2 Filter Rules ........................................................................................................34 4.2.3 Three Types of Filter Rules ..............................................................................35 4.3 Features and Usage ..................................................................................................35 4.3.1 MAC Control ....................................................................................................35 4.3.2 Conditional Access Control with Multiple Attributes ......................................35 4.3.3 Ease of Adoption and Administration ...............................................................36 iv 4.3.4 Redirection ........................................................................................................36 4.3.5 Usage .................................................................................................................37 4.4 The Operational Specifications of the Firewall Model ............................................37 4.4.1 Definitions of Basic Components .....................................................................37 4.4.2 Operational Specifications ................................................................................40 5. Prototype Implementation and Performance Test ..........................................................43 5.1 Possible Approaches ................................................................................................43 5.1.1 Stackable File System .......................................................................................43 5.1.2 Linux Security Module (LSM) .........................................................................45 5.2 Components .............................................................................................................45 5.3 Design Concern ........................................................................................................46 5.4 The Prototype of the Firewall Model .......................................................................46 5.4.1 The Implementation of the Prototype ...............................................................47 5.4.2 Work Flow ........................................................................................................49 5.4.3 The Structure of the Prototype ..........................................................................50 5.4.4 Filter Rule Set Management .............................................................................51 5.5 Performance Test .....................................................................................................53 5.5.1 Filter Rule Loading ...........................................................................................53 5.5.2
Load more

Recommended publications
  • Administrative Role-Based Access Control on Top of Security Enhanced Linux
    Administrative Role-Based Access Control on Top of Security Enhanced Linux Ayla Solomon Submitted in Partial Fulfillment of the Prerequisite for Honors in Computer Science June 2009 Copyright Ayla Solomon, 2009 Abstract In a time when the Internet is increasingly dangerous and software is increasingly com- plex, properly securing one’s system has become a widespread concern, especially for system administrators. There are a number of ways to secure a Linux system; these methods vary in effectiveness and usability. Regular Linux discretionary access control is suitable for most mundane tasks and is easy to use, but it fails to confine insecure programs that run with administrative powers and is difficult to scale. Security Enhanced Linux (SELinux) is an extension to the Linux kernel that provides fine-grained controls for preventing malicious agents from exploiting software vulnerabilities. It can be very effective, but its policy lan- guage is extremely low-level and its paradigm difficult to understand and use. This makes it difficult to map a high-level idea of a security policy to what needs to be done in SELinux, which rules out its use to a vast majority of people with Linux systems, including system administrators, though many attempts have been made to make it more usable. I have designed and partially implemented a system on top of SELinux to implement administrative role-based access control (ARBAC), which is not available on any Linux system. ARBAC is an intuitive, flexible, and scalable security paradigm well suited for user confinement, especially for very large systems with many users. ARBAC’s main advan- tages are not only in its intuitive structure but also its built-in administrator confinement mechanism: its very structure promotes separation of privilege amongst administrators.
    [Show full text]
  • Linux OS-Level Security Nikitas Angelinas
    Linux OS-Level Security Nikitas Angelinas MSST 2015 Agenda ● SELinux ● SELinux issues ● Audit subsystem ● Audit issues ● Further OS hardening 2 SELinux ● Security-Enhanced Linux ● Is NOT a Linux distribution ● A kernel feature ● A Linux Security Module (LSM) ● security fields in kernel data structures — processes, files, directories, sockets, IPC, and other OS objects ● hooks on all paths from userspace — return a binary predicate: allowed or not allowed (e.g. EACCES) 3 SELinux ● SELinux is a labeling system ● Every process has a label ● Every OS object has a label ● Policy rules control access between processes and objects, based on their labels ● Policy rules are enforced by the kernel ● The objective is to contain misbehaving/compromised userspace applications 4 SELinux policy management application interface userspace open(2) kernel error checks selinuxfs DAC checks cache Allowed? miss? Security Server LSM hook Access Vector Cache (Policy Rules and Access Decision Logic) Yes/No return SELinux 5 SELinux ● Mandatory Access Control ● vs. Discretionary Access Control (file ownership, permissions) ● Labels are of the form user:role:type:level ● e.g. process: /usr/sbin/sshd → system_u:object_r:sshd_exec_t:s0 ● e.g. file: /root/ssh/* → root:object_r:ssh_home_t ● SELinux implements LSM hooks and offers: ● Role-based Access Control ● Type Enforcement ● Multi-Level Security 6 SELinux labels and rules ● ls -Z /usr/sbin/sshd -rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd ● ls -Z /root/.ssh/id_rsa -rw-------. root root root:object_r:ssh_home_t /root/.ssh/id_rsa ● ls -Z /etc/ssh/sshd_config -rw-------. root root system_u:object_r:etc_t /etc/ssh/sshd_config ● ls -Z /var/run/sshd.pid -rw-------.
    [Show full text]
  • Security Architecture
    COVER STORY RSBAC Architecture of Rule Set Based Access Control (RSBAC) Security Architecture inux security holes typically occur Integrating multiple security models simultaneously in the kernel and in Server programs and S bit tools. LThe best approach would be to detailed logs of any access:The free Rule Set Based Access Control avoid mistakes and update programs immediately if a bug occurs. This is not (RSBAC) security System offers customized protection for a wide range always possible, the next best thing is to of requirements. BY AMON OTT restrict potential damage, and this is where access control systems such as RSBAC come into play [1]. If an attacker exploits the security holes in servers or s bit tools, access to the system should be restricted to a minimum. In this case, even a successful compromise will cause only limited damage, and protective mechanisms can be implemented directly in the operating system kernel. The standard Linux kernel prevents access to various resources such as files, directories or system configurations, but unfortunately the standard mechanisms are fraught with weaknesses: •Poor granularity Ro • Discretionary access control nald Raefle , visipix.com • An all-powerful root user Linux access controls only offer the standard privileges read, write and execute; additionally they only allow distinct privileges to be defined for the owner of a file, the members of a group and all others. Restrictions typically do account used to run that process. kernel a while back, allow a program not apply to the root user. The Thus, an attacker, if fortunate, can launched by root to drop some granularity of these privileges is thus manipulate any files belonging to the privileges, but this is left up to the insufficient for many tasks.
    [Show full text]
  • I. RSBAC Theory
    The RSBAC library The RSBAC library Copyright © 2003 Amon Ott, Stanislav Ievlev and Henk Klöpping The RSBAC introduction Amon Ott Stanislav Ievlev Heinrich W. Klöpping The RSBAC introduction by Amon Ott, Stanislav Ievlev, and Heinrich W. Klöpping Audience: This book is intended for use by experienced and skilled Unix professionals who wish to install, configure and use RSBAC. Approach: This book resulted from a project founded on June 28th, 2002 by Amon Ott, Stanislav Ievlev and Henk Klöpping. It provides an introduction to Rule Set Based Access control (RSBAC). If you are new to RSBAC, this book is the place to start reading. It provides an overview of what RSBAC is and how it can be employed. It is aimed at both potential users of RSBAC and programmers that would like to enhance the software by writing their own modules - or even changing the software itself. This book also introduces its companions: The RSBAC cookbook, The RSBAC reference manual, The RSBAC programmers cookbook and The RSBAC programmers reference manual. To learn where the latest version of this book can be downloaded or read please refer to Section 6.2. Sources: Our sources of information were (Open Source) material on the Internet, several books, practical experience of the authors , research and programming work done by the authors and others. We try to give credit where due, but are fallible. We apologize. Caution While every precaution was made in the preparation of this book, we can assume no responsibility for errors or omissions. When you feel we have not given you proper credit or feel we may have violated your rights or when you have suggestions how we may improve our work please notify us immediately so we can take corrective actions.
    [Show full text]
  • Case Study: Building a Secure Operating System for Linux
    121 C H A P T E R 9 Case Study: Building a Secure Operating System for Linux The Linux operating system is a complete reimplementation of the POSIX interface initiated by Linus Torvalds [187]. Linux gained popularity throughout the 1990s, resulting in the promotion of Linux as a viable alternative to Windows, particularly for server systems (e.g., web servers). As Linux achieved acceptance, variety of efforts began to address the security problems of traditional UNIX systems (see Chapter 4). In this chapter, we describe the resulting approach for enforcing mandatory access control, the Linux Security Modules (LSM) framework. The LSM framework defines a reference monitor interface for Linux behind which a variety of reference monitor imple- mentations are possible. We also examine one of the LSM reference monitors, Security-enhanced Linux (SELinux), and evaluate how it uses the LSM framework to implement the reference monitor guarantees of Chapter 2. 9.1 LINUX SECURITY MODULES The Linux Security Modules (LSM) framework is a reference monitor system for the Linux ker- nel [342]. The LSM framework consists of two parts, a reference monitor interface integrated into the mainline Linux kernel (since version 2.6) and a reference monitor module, called an LSM, that implements reference monitor function (i.e., authorization module and policy store, see Chapter 2 for the reference monitor concept definition) behind that interface. Several independent modules have been developed for the LSM framework [228, 183, 127, 229] to implement different forms of reference monitor function (e.g., different policy modules). We examine the LSM reference monitor interface in this section, and one of its LSMs, Security-Enhanced Linux (SELinux) [229] in the subsequent section.
    [Show full text]
  • Security-Enhanced Linux
    Information Assurance Research Group Security-Enhanced Linux Peter Loscocco Information Assurance Research Group National Security Agency [email protected] 4/6/01 1 Information Assurance Research Group Outline Importance of secure operating systems Security-enhanced Linux Related work Conclusions 4/6/01 2 Information Assurance Research Group Importance of Secure OS Growing need for security Flawed assumption of security OS is correct level to provide security Key feature: Mandatory Access Control (MAC) • Access to objects controlled by policy administrator • Users/processes may not change access policy • All accesses are mediated w.r.t. the policy 4/6/01 3 Information Assurance Research Group Mandatory Security: Key Gains Provides critical support for application security • Protects against tampering with secured application • Protects against bypass of secured application • Enables assured pipelines Provides strong separation of applications • Permits safe execution of untrustworthy applications • Limits scope of potential damage due to penetration of applications • Functional uses: isolated testing environments or insulated development environments Protects information from • Legitimate users with limited authorization • Authorized users unwittingly using malicious applications 4/6/01 4 Information Assurance Research Group Why not just DAC? Decisions are only based on user identity and ownership Each user has complete discretion over his objects Only two major categories of users: user and superuser Many system services and privileged
    [Show full text]
  • Kiegészítő Linux Kernel Biztonsági Megoldások Összehasonlítása
    Kiegészítő Linux kernel biztonsági megoldások összehasonlítása A kiegészítő kernelbiztonsági megoldásokra irányuló vizsgálódásaim azzal kezdődtek, hogy egy SLES11 SP1 szerveren olyan formán szerettem volna üzemeltetni a cron démont, hogy a közönséges felhasználók időzített feladatai erősen korlátozott jogokkal fussanak, a rendszerfeladatok viszont nagyjából korlátoktól mentesen. Arra gondoltam, hogy ezt a célt egy mandatory access control (a továbbiakban MAC) rendszer használatával érem el. Használhatnám ugyan a kiterjesztett attribútumokra épülő POSIX ACL-eket is, amelyeket ha kiegészítünk az utóbbi időben egyre inkább használhatóvá váló Linux capability-kkel, akkor az ACL-ek néhány idegesítő gyengeségétől eltekintve elfogadható védelmi rendszert kaphatunk, de egy MAC rendszer használata mégis kézenfekvőbbnek tűnik. Tulajdonképpen mi is egy MAC rendszer? A Wikipédia definíciója, és a hozzáférés-vezérlésben elfoglalt helye szerint kizárólagosan rendszergazdai irányítás alatt álló, a többi felhasználó belátására (discretion) nem alapozó, centralizál hozzáférés-vezérlési rendszer, és mint ilyen, a Discretionary Access Control (DAC), vagyis a hagyományos (pl. Windows/UNIX), elosztott felelősségvállaláson alapuló fájlrenszer-jogosultsági rendszer ellentétpárja. Már a Wikipédia is felhívja azonban a figyelmet arra, hogy a MAC név történelmi okokból szorosan egybeforrt a fenti definíció szerinti rendszerek egy konkrét típusával, nevezetesen a Multilevel Security (MLS, újabban MLS/MCS) rendszerekével, mégpedig oly mértékben, hogy több - általam
    [Show full text]
  • Differentiating Between Access Control Terms WP
    Differentiating Between Access Control Terms Understanding User and Role Based Access Control, Policy Based Access Control, Content Dependent Access Control, Context Based Access Control, View Based Access Control, Discretionary and Mandatory Access Control Access Control White Paper Table of Contents INTRODUCTION 3 USER BASED ACCESS CONTROL (UBAC) 4 ROLE BASED ACCESS CONTROL (RBAC) 4 POLICY BASED ACCESS CONTROL 5 CONTENT DEPENDENT ACCESS CONTROL (CDAC) 6 CONTEXT BASED ACCESS CONTROL (CBAC 6 VIEW BASED ACCESS CONTROL (VBAC) 7 MANDATORY & DISCRETIONARY ACCESS CONTROL (MAC AND DAC) 8 THE BOTTOM LINE 9 LEGAL NOTICE 12 2 Access Control White Paper 1. INTRODUCTION Access control, by the broadest definition, is the ultimate goal of all network security – granting access when appropriate and denying when inappropriate. Access control tools help accomplish this purpose, as do firewalls, encryption, and intrusion detection. In light of the true mission of network security, however, having the right access control tool is absolutely essential. Almost every network has some form of access control, even if it is merely that of the native operating systems – some networks have several access control tools that protect different resources. The various types of access control tools enforce security policy and/or users’ privileges by protecting mail servers, web applications, database systems, fileservers, applications, or some combination of these resources. In fact, there are so many types of access control tools and so many non-standardized terms to describe them that it is difficult to determine which solution is right for a given network. An understanding of the more common usages of these terms can make it easier to discern between the basic types of solutions available .
    [Show full text]
  • Access Control Model and Policies for Collaborative Environments
    Hasso–Plattner–Institut fuer Softwaresystemtechnik an der Universitaet Potsdam Access Control Model and Policies for Collaborative Environments Dissertation zur Erlangung des akademischen Grades “Doctor rerum naturalium” (Dr. rer. nat.) am Fachgebiet Internet Technologien und Systeme eingereicht an der Mathematisch–Naturwissenschaftlichen Fakultaet der Universitaet Potsdam von Wei Zhou Potsdam 2008 Abstract To effectively participate in modern collaborations, member organizations must be able to share specific data and functionality with the collaborative partners, while ensuring their resources are safe from inappropriate access. This requires access control models, policies, and enforcement mechanisms for collaborative systems. This thesis describes my research work that concerns two important issues in collaborative systems: access control model and policies. Team and Task based RBAC (TT-RBAC) Model. TT-RBAC extends the Role-Based Access Control (RBAC) model through adding sets of two basic data elements called teams and tasks. TT-RBAC model as a whole is defined in terms of individual users being assigned to roles and teams, roles and tasks being assigned to teams, and permissions being assigned to roles and tasks. By virtue of team membership, users get access to team’s resources specified by assigned tasks. However, for each user, the exact permissions he/she obtains to a team’s resources will be determined by his/her roles and current activity of the team. The team defines a small and specific RBAC application zone, through which we can preserve the advantages of scalable security administration that RBAC-style models offer and yet offers the flexibility to specify fine-grained control on individual users in certain roles and on individual object instances.
    [Show full text]
  • Access Control Methodologies
    chapple02 10/12/04 7:59 AM Page 25 CHAPTER 2 Access Control Methodologies After reading this chapter, you will be able to: I Understand access control basics I Discuss access control techniques I Recognize and compare access control models I Contrast various identification and authentication techniques I Recognize common attacks and implement controls to prevent them This chapter presents various methods and techniques for controlling users’ access to system resources. You’ll learn about different approaches to help ensure that only authorized users can access secured resources. This chapter also covers the basics of access control, general methods and tech- niques used to manage access to resources, and some common attacks that are launched against access control systems. 2.1 Basics of Access Control Access control is a collection of methods and components used to protect information assets. Although some information is and should be accessible by everyone, you will most likely need to restrict access to other information. Access control supports both the confidentiality and the integrity properties of a secure system. The confidentiality property protects information from unauthorized disclosure. You use access control to ensure that only author- ized users can view information. The integrity property protects information chapple02 10/12/04 7:59 AM Page 26 26 CHAPTER 2 Access Control Methodologies from unauthorized modification. Access control gives you the ability to dic- tate what information a user can both view and modify. Before you can implement a sound access control policy, you must first develop a plan. Here are a few questions you need to answer: I How do I separate restricted information from unrestricted information? I What methods should I use to identify users who request access to restricted information? I What is the best way to permit only users I authorize to access restricted information? I Where do I start? 2.1.1 Subjects and Objects Access control is all about, well, controlling access.
    [Show full text]
  • A Comprehensive Analysis of MAC Enhancements for Leveraging Distributed MAC
    Proceedings of the International MultiConference of Engineers and Computer Scientists 2008 Vol I IMECS 2008, 19-21 March, 2008, Hong Kong A Comprehensive Analysis of MAC Enhancements for Leveraging Distributed MAC Shahbaz khan1, Muhammad Amin2, Muhammad Nauman3, Tamleek Ali4 Abstract—Increased dependability of users, businesses and This course-grained security may allow malicious software government on computing systems for research and computa- access to many critical components of the system once an tions on sensitive data raises serious issues regarding security. individual user’s critical information has been compromised Operating systems conventionally provide Discretionary Access Control (DAC, superuser logic) to maintain security. Malicious [1]. users and applications are major threats to organizations and DAC seriously fails to address the required level of security. Mandatory Access Control (MAC) mechanisms address Former research has proven that enforcement of Mandatory these deficiencies. MAC enforces a system-wide security, Access Control (MAC, security labels/contexts for subjects and which is a manifestation of the organization’s security policy. objects) restricts the malicious agents to their own domain, thus In simple words MAC can be defined as “the definition eliminating risk of damage it can cause to rest of the system and of policy logic and the assignment of security attributes or data. MAC implementations depend upon access control mecha- labels to all resources of a system, tightly controlled by a nisms. These mechanisms are added to operating systems as system security administrator [2].” From another perspective kernel enhancements. There are four prominent kernel enhance- we can also say that MAC is the dynamic or runtime secure ments: RSBAC, SELinux, GRSecurity and AppArmor.
    [Show full text]
  • A Framework for Enhanced Linux System Security
    RSBAC - a framework for enhanced Linux system security Marek Jawurek¤ RWTH-Aachen Abstract Based Access Control (RSBAC) comes into play. The RS- BAC kernel-extension was developed in 1997 by Amon Ott Operating systems traditionally bring their own means as his diploma work and is in stable production since 2000. of protection against any kind of threats. But often the sys- It introduces a security framework designed to install dif- tem's security is based on an evolved composition of differ- ferent security models dynamically into a Linux system in ent projects and tools, historically grown with their operat- order to control access to system resources. ing system, ensuring and controlling system security. There- fore only rarely a coherent security solution is provided by 1.1 This work's focus the system. This existing structure of security suffers from different problems and inconsistencies, caused by its evolu- Four major different approaches to Linux security exist: tion, and often lacks universality due to bad or shortsighted SELinux, grsecurity, LIDS and RSBAC. A direct compari- design decisions in its history. son between these would be desirable but is due to the fol- The RSBAC framework is focused on the elimination of lowing reasons not feasible: these drawbacks in Linux kernels and has been designed The different approaches classify them- this way from its start. It introduces a modular framework Classification selves differently (kernel patch, security framework, to allow fine-grained access control enabling system admin- etc.). istrators to compose a system using a combination of the preferred security models. This paper presents the RSBAC Interpretation Each improvement to Linux security has a approach and outlines RSBAC's concept of integration into different understanding of a 'Secure Linux System'.
    [Show full text]